feat: add pnpm as package manager #224
Draft
serendipty01 wants to merge 3 commits into
Context & Requests for Reviewers

fixes #337

Why pnpm over npm?

- Disk space efficiency — pnpm uses a content-addressable store where all package files are saved in a single location and hard-linked into each project's `node_modules`. If you have 100 projects using a dependency, npm stores 100 copies on disk; pnpm stores one. When a new version changes only one file out of 100, only that single file is added to the store rather than cloning the entire package. Docs
- Faster installations — pnpm performs installation in three concurrent stages — dependency resolution, directory structure calculation, and linking — where packages are resolved, fetched, and hard-linked as soon as possible, rather than npm's sequential resolve-then-fetch-then-write approach. Docs
- Strict, correct `node_modules` — npm maintains a flattened dependency tree, which means source code can accidentally access packages that aren't declared in `package.json`. pnpm uses symlinks so only direct dependencies are visible at the top level, helping avoid bugs caused by relying on undeclared transitive dependencies. Docs
- No phantom dependencies — pnpm does not allow installation of packages without saving them to `package.json`, so projects won't accumulate extraneous packages over time.

  Note: For Coop, `jest-snapshot` and `@types/express-serve-static-core` are added.

- Supply chain security — pnpm v10+ ships with several built-in protections that npm lacks:
  - `postinstall` scripts in dependencies, and lets you explicitly allowlist only trusted packages via `allowBuilds`.
  - `minimumReleaseAge` to 1440 minutes (1 day), meaning newly published packages won't be resolved until they are at least a day old, giving the community time to detect compromised versions.
  - `trustPolicy` setting can prevent installation of a package if its trust level has decreased compared to previous releases (e.g., a package that was previously published by a trusted publisher but now lacks provenance).

  Note: This is not present in PR as builds are breaking due to many outdated dependencies.

- Adopted by major open-source projects — pnpm's workspace feature is already used by some of the most prominent projects in the ecosystem like Next.js, Vue, Vite, Nuxt, Astro, SvelteKit, n8n etc.

Reference: https://pnpm.io/pnpm-vs-npm

Tests

(Optional) Rollout Plan
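The `minimumReleaseAge` rule discussed in the PR description, as an added stand-alone illustration rather than pnpm's own code: given the `time` map of an npm registry packument, it picks the newest stable version that was published at least the configured number of minutes before "now", so a version pushed a few hours ago is skipped in favour of the previous release. The packument, package name and timestamps are constructed for the example; the real resolver also honours the requested semver range, which this omits.

```javascript
// Added example, not code from PR #224 or from pnpm. Registry packuments
// carry a "time" map of version -> ISO 8601 publish timestamp, plus the
// non-version keys "created" and "modified", which must be skipped.

// Constructed packument excerpt (hypothetical package and dates).
const packument = {
  name: 'example-lib',
  'dist-tags': { latest: '2.1.0' },
  time: {
    created: '2025-01-01T00:00:00.000Z',
    modified: '2025-01-14T12:00:00.000Z',
    '2.0.0': '2025-01-01T00:00:00.000Z',
    '2.0.1': '2025-01-10T00:00:00.000Z',
    '2.1.0': '2025-01-14T12:00:00.000Z', // published 12 h before "now" below
  },
};

// Stable releases only (no prerelease tags such as 2.2.0-beta.1).
const STABLE_VERSION = /^\d+\.\d+\.\d+$/;

function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i += 1) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Newest stable version whose publish time is at least minAgeMinutes old.
// Returns null when nothing is old enough (the resolver would then fail
// rather than fall back to a too-fresh release).
function resolveWithMinimumReleaseAge(pkg, minAgeMinutes, now = new Date()) {
  const cutoff = now.getTime() - minAgeMinutes * 60 * 1000;
  const eligible = Object.entries(pkg.time)
    .filter(([version, published]) =>
      STABLE_VERSION.test(version) && Date.parse(published) <= cutoff)
    .map(([version]) => version)
    .sort(compareVersions);
  return eligible.length > 0 ? eligible[eligible.length - 1] : null;
}

const now = new Date('2025-01-15T00:00:00.000Z');
// 1440 minutes (1 day) as in the PR: 2.1.0 is only 12 h old, so 2.0.1 wins.
console.log(resolveWithMinimumReleaseAge(packument, 1440, now)); // 2.0.1
// With no minimum age the freshest release is taken.
console.log(resolveWithMinimumReleaseAge(packument, 0, now)); // 2.1.0
```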